Great Circle Associates Firewalls
(January 1997)

Subject: Re: Read-only Web Site (was AF hack)
From: cwg @ DeepEddy . Com
Date: Thu, 02 Jan 1997 17:46:52 -0600
To: mcnabb @ argus . cu-online . com (Paul McNabb)
Cc: Firewalls @ GreatCircle . COM
Cc: cwg @ DeepEddy . Com
In-reply-to: Your message of "Thu, 02 Jan 1997 12:41:29 CST." <199701021841 . MAA21415 @ argus . cu-online . com>

> The web server has two network connections, but has IP forwarding
> disabled.  Processes coming in from one network see all file systems
> as read-only (making /tmp RO is an option), and there is no mechanism
> for bypassing that, even if the process is root.  All device special
> files are completely inaccessible to all processes and all users -- also
> mknod(2) is disabled.  If a user comes in from the other network, 
> he/she can access the system normally, except that UID 0 (root) is
> treated as a normal account in terms of OS privilege, so attacks from
> this direction are also more tightly controlled (special programs
> are provided to manage the system instead of using a special account
> such as root).
> 
>                          +------------+
>          <-------------->| Secured    |<-------------->
>         internal network | Web Site   | Internet/PublicNet
>        (RW file systems) +------------+ (RO file systems)
> 
> When a Solaris host (x86 or SPARC) has been updated with this level
> of security, you can still use the r* commands, telnet, ftp, and
> even NFS from either side.  You can have the RO restriction be done
> on a per-file basis as well, so you can be creative about your setup.

How do you do this?

Chris

-- 
Chris Garrigues                    O-              cwg @ DeepEddy . Com
  Deep Eddy Internet Consulting                     +1 512 432 4046
  609 Deep Eddy Avenue
  Austin, TX  78703-4513              http://www.DeepEddy.Com/~cwg/


Attachment: pgpTPhfXPpl6l.pgp
Description: PGP signature
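The posture Paul describes above (no IP forwarding between the two networks, every file system read-only toward the public side, /tmp optionally read-only) can at least be audited from the outside. The following is an added example, not code from either poster: it parses a constructed Solaris-style /etc/vfstab and a constructed kernel-parameter dictionary and reports deviations from that posture. It checks ordinary mount options and an ip_forwarding flag as a stand-in; it does not implement the per-network, per-file restriction the message refers to, which is not explained on this page.

```python
"""Audit a vfstab-style mount table and kernel settings against a
read-only, non-forwarding dual-homed web host posture (added example)."""
from dataclasses import dataclass

# Constructed sample in Solaris /etc/vfstab layout:
# device-to-mount device-to-fsck mount-point fstype fsck-pass mount-at-boot options
SAMPLE_VFSTAB = """\
#device            device             mount          FS    fsck mount   mount
#to mount          to fsck            point          type  pass at boot options
/dev/dsk/c0t0d0s0 /dev/rdsk/c0t0d0s0 /              ufs   1    no      ro
/dev/dsk/c0t0d0s6 /dev/rdsk/c0t0d0s6 /usr           ufs   2    yes     ro,nosuid
/dev/dsk/c0t0d0s7 /dev/rdsk/c0t0d0s7 /export/htdocs ufs   2    yes     rw
swap              -                  /tmp           tmpfs -    yes     -
"""
# Constructed kernel state; ip_forwarding=1 is the weak setting.
SAMPLE_KERNEL = {"ip_forwarding": 1}


@dataclass
class Finding:
    where: str     # "kernel" or a mount point
    problem: str


def parse_vfstab(text):
    """Return [(mount_point, fstype, set_of_mount_options)], skipping comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:          # malformed line: ignore rather than guess
            continue
        mnt, fstype, opts = fields[2], fields[3], fields[6]
        options = set() if opts == "-" else set(opts.split(","))
        entries.append((mnt, fstype, options))
    return entries


def audit(vfstab_text, kernel, require_tmp_ro=False):
    """Report every file system not mounted 'ro' and any enabled forwarding.
    /tmp is exempt unless require_tmp_ro is set (the message calls RO /tmp optional)."""
    findings = []
    if kernel.get("ip_forwarding", 0) != 0:
        findings.append(Finding("kernel", "ip_forwarding enabled; host must not route"))
    for mnt, _fstype, opts in parse_vfstab(vfstab_text):
        if mnt == "/tmp" and not require_tmp_ro:
            continue
        if "ro" not in opts:
            findings.append(Finding(mnt, "not mounted read-only toward the public network"))
    return findings
```

Running `audit(SAMPLE_VFSTAB, SAMPLE_KERNEL)` flags the forwarding setting and /export/htdocs; passing `require_tmp_ro=True` also flags /tmp.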


